An enterprise encryption policy governs the technical standards and operating procedures for the entire organization. Unfortunately many organizations either do not have an enterprise wide policy or rely on different business units to implement encryption technologies as point solutions without thought of the corporate wide impact. The lack of organizational wide encryption standards leads to inconsistent technology implementation, low or negative return on investment or the worst, needless exposure to regulatory liability for lack of data protection.
This article provides the fundamentals for designing an enterprise encryption policy to properly align corporate resources so that encryption technology is applied consistently across the organization. With proper planning, implementation and monitoring, the enterprise encryption policy can ensure the organization is properly utilizing encryption as a security control to protect business data and minimize liability.
Encryption concepts and policy impacts
From a business perspective, encryption can be summed up with the following sentence – Encryption locks data, only people with the correct key can unlock it. To get more of an understanding, let’s analyze each sentence element to explain the details and the associated policy impact in the table below:
|Sentence element||Description and Policy Impact|
|Encryption locks||Description: A computing process that uses algorithms and ciphers to transform readable data into data that cannot be read or processed.
Policy impact: The strength of encryption can be determined by different cipher and algorithm selection. If an enterprise policy does not dictate the use of the strongest encryption settings, then the encryption can be applied with weak settings thereby rendering the organization’s encryption tactics useless. The enterprise policy must specify that the strongest algorithms and ciphers be used.
|Data||Description: The information the organization is protecting.
Policy impact: Like any other security tool, encryption should be applied in a manner that supports the business need. Deciding what data to protect is very important because the organization wants to ensure the most sensitive data is protected while not wasting resources on noncritical data or information published for public consumption. The enterprise policy must use the organizations data classification policy to ensure the most critical data is protected. .
|Only people||Description: The users that will be able to decrypt the data.
Policy impact: A critical, and often overlooked aspect to an enterprise encryption policy is training. The most important element of an encryption system is the user. If they select the wrong option, fail to protect their key, or do not encrypt sensitive data, all of the organizations efforts on data protection can be wasted. Therefore, it is critical that adequate training and education be provided to the user so they use encryption effectively and in accordance with the organization’s security goals. The enterprise policy must specify training and education for users to ensure effective use of encryption.
|With the correct key||Description: This key works with the cipher to descramble the data.
Policy impact: Another core element to encryption is key management. When data is encrypted, it uses a key for both the encryption and decryption process. If that key is not protected or is not strong enough, it can either be stolen or guessed to decrypt the data originally protected. The enterprise policy must specify key size and the key protection technique.
|Can unlock it||Description: These are the users that have access to the key to decrypt the data.
It is critical that an access control policy to decrypt encrypted data is defined. Otherwise, data may be encrypted with a shared key that provides little or no access control which renders encryption useless.The enterprise security policy must specify that the key is managed properly and is only available to authorized personnel. Additionally, the policy should have an escrow element in place to clearly outline the security processes required to access decryption keys for data recovery purposes.
|Encrypt database backups||PIV Configuration Task: Configure your database backups to be encrypted
How this protects your organization: Many organizations overlook their database archives. We have seen many occasions where the entire DB is simply moved to a different network share or even offsite to a different datacenter with no security on the archive. The attacker then simply downloads this data and can read this without even a password. By using PIV encryption, a valid PIV credential and PIN is required to view the data, thereby making the data useless to an attacker.
How to structure your enterprise encryption policy
With the basics of encryption covered, the next phase is to understand what an enterprise encryption policy should include. The ultimate goal of an enterprise policy is to ensure encryption technology is being applied consistently and used correctly to ensure critical data is protected and organization risk and liability is minimized. The table below provides guidance for the minimal content consideration for the encryption policies.
|Encryption technical standards||This policy area should specify the encryption technical elements the organization must implement. For example, this policy will specify the strength of ciphers, algorithms, key sizes and key management protocols to ensure the organization securely implements encryption in a consistent manner.|
|What to encrypt||This policy area should specify what data must be encrypted. For example, most organization should use their data classification policy to determine their most critical data. Upon which, they should ensure this data is being encrypted. .|
|When to encrypt||This policy area should specify when the data should be encrypted. Below are common examples of when encryption should be applied:
|Key protection||This policy area should specify the strength of keys to be used as well as the protection mechanism to secure the respective keys. Common policy guideless are:
-The keys must be protected using multi-factor based access control
|Key escrow||This policy area should define how keys will be stored and retrieved for legal or disaster recovery purposes.|
|Training||This policy area should specify how users will be trained to use encryption technologies. Components such as user guides, computer based training and in person briefings are commonly used to train users how to effectively use encryption technologies.|
|Monitoring||This policy area should specify how the organization will ensure the encryption policy will be enforced. Common assessment activities include:
-Database assessments will be performed to verify critical data is being encrypted
Author, Implement and Monitor
Implementing an enterprise encryption policy is a challenge that will require extensive planning, testing and continuous refinement. The following framework can be utilized to enable your organization to rapidly begin to implement a policy to protect your business operations.
AUTHOR THE POLICY
Do not wait to begin this activity. Using the guidance previously discussed, create a baseline enterprise encryption policy that sets the technical standards, operating procedures and monitoring activities required to implement encryption organization wide. Although the first the version of the policy may not be perfect, it still enables the organization to prepare for the usage of encryption.
With the policy completed, create awareness programs to notify the organizational units that encryption technologies will be implemented throughout the organization. Instruct the organizational units to educate and prepare staff of the upcoming changes so they can properly implement and use encryption techniques.
In many organizations, engineers and security managers may have already implemented encryption techniques to protect data. Send out a questionnaire to determine if encryption is already being used. The sample matrix below provides different questions for different technology units.
|Security Management||Is there an encryption policy in place
Is there a key management plan in place
|Database||Are we encrypting the sensitive columns in our database?
Are the backups being stored in the clear or encrypted .
|Networking||Are we using VPN technologies for site to site connections
Are internal links being encrypted
|Mobile||Are mobile devices protected via an enterprise mobility management technology
Is containerization being used
|Desktop/server management||Are we using any of the following Full disk encryption
Encrypting file system
File or folder encryption
|Backup management||Are our backup archives being encrypted|
|Cloud Computing||Are we using encrypted storage
Do we encrypt our data before uploading to the cloud
|Cloud Computing||Are we using encrypted storage
Do we encrypt our data before uploading to the cloud
|Remote access||Are we enforcing encryption between the client and the server|
|Virtual machine management||Are we encrypting our virtual machines|
|Messaging||Do we encrypt the email messages we send|
|USB Keys||Are we using storage media that is encrypted by default|
Compile the responses from the questionnaire to determine how and where encryption is being used. Next, if encryption is being used, verify it meets the standards set within the organizational policy. If encryption is not being used for sensitive data, develop a plan to implement the encryption technologies as defined by the enterprise encryption policy.
Once the encryption technologies have been put in place, conduct periodic internal assessments to ensure the encryption standards are being implemented and used in accordance with policy.
When properly implemented, encryption is a remarkably powerful security tool that drastically reduces risk and liability. However, encryption technologies must be implemented consistently across the organization to achieve maximum effectiveness. By setting clear standards and operating procedures through an enterprise encryption policy, organizations can reap all of the benefits of strong data protection and protect themselves against needless financial losses due to data breaches.